Disable stale computer objects after 30 days

Rick Angel 36 Reputation points
2021-01-25T22:26:22.907+00:00

We've been using the DOS command "dsquery computer -inactive 13 | dsrm -subtree -noprompt -c" to remove computers more than 90 days stale. I would like to add something to disable the accounts after 30 days. Is there a command similar to dsrm that would disable but not remove?

Second question. Is there a way to specify days rather than weeks? 13 weeks equals 91 days so that math works out well for a 90-day policy. 4 weeks is 28 days, but I prefer to use syntax that is exactly 30 days if that is possible since this will be documented in a company security policy.

I've seen some PowerShell examples but they all were calculating stale based on LastLogon which yields different results from dsquery. So if there is a PowerShell equivalent of dsquery I'm happy to use that instead. Please advise. Thanks.


Accepted answer
  1. Thameur-BOURBITA 32,586 Reputation points
    2021-01-27T23:10:51.923+00:00

    Hi @Rick Angel

    Thanks for the reply. After running this command, how do I see the list of computers more than 30 days inactive? This command run by itself seems to list all computers in the AD. Then, after seeing the list, I would need to be able to disable them. I could use "Set-ADComputer -Remove" to delete the computers, but I would prefer to disable them first and delete them later. Do you have any suggestions?

    # The first command disables all computers whose password has not changed in 30 days or more.
    # Stale means PasswordLastSet is on or before the cutoff, so the comparison is -le (not -ge,
    # which would select the recently active machines instead). The filter is a script block,
    # not a parenthesised expression.
    Get-ADComputer -Filter {Enabled -eq $true} -Properties PasswordLastSet | Where-Object {$_.PasswordLastSet -le (Get-Date).AddDays(-30)} | Disable-ADAccount


    # The second command deletes computers that are already disabled and whose password has not
    # changed in 60 days or more. -Recursive also removes child objects, as dsrm -subtree did.
    Get-ADComputer -Filter {Enabled -eq $false} -Properties PasswordLastSet | Where-Object {$_.PasswordLastSet -le (Get-Date).AddDays(-60)} | Remove-ADObject -Recursive
    

    You can customize the commands above to your needs.

    ----------

    please don't forget to mark helpful reply as answer


3 additional answers

  1. Thameur-BOURBITA 32,586 Reputation points
    2021-01-25T23:05:55.79+00:00

    Hi,

    You can get the inactive computer list based on the PasswordLastSet value instead of LastLogon.

    # Stale means PasswordLastSet is on or before the 30-day cutoff, hence -le rather than -ge
    Get-ADComputer -Filter * -Properties PasswordLastSet | Where-Object {$_.PasswordLastSet -le (Get-Date).AddDays(-30)}
    

    Please don't forget to mark helpful reply as answer
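The accepted answer's disable/delete pair and the PasswordLastSet listing above both hinge on one comparison, and getting its direction wrong disables the active fleet rather than the stale one. The script below is an added example, not code from the question or from either answer: it separates the staleness decision into a filter that can be run against constructed objects with no domain in reach, takes the threshold in days as the question asked, lets you choose LastLogonDate (PowerShell's view of lastLogonTimestamp, the attribute dsquery -inactive reads) or PasswordLastSet, and supports -WhatIf. The OU path and the description stamp text are placeholders I chose; adjust them for your forest.

```powershell
# Added example; not code from the question or from either answer in this thread.
# Assumptions: the RSAT ActiveDirectory module is present where the live part runs, and
# "OU=Stale Computers,DC=example,DC=com" is a placeholder OU to adjust.

# Pure filter: selects objects whose staleness attribute is on or before the cutoff.
# It only reads Name, the chosen attribute and whenCreated, so it can be exercised offline.
function Select-StaleComputer {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)] $Computer,
        [Parameter(Mandatory)] [int]$Days,              # threshold in days, not weeks
        [ValidateSet('LastLogonDate', 'PasswordLastSet')]
        [string]$Attribute = 'LastLogonDate',            # LastLogonDate = lastLogonTimestamp, as dsquery -inactive uses
        [datetime]$Now = (Get-Date)
    )
    process {
        $cutoff = $Now.AddDays(-$Days)
        $last = $Computer.$Attribute
        # Empty value: a freshly joined machine may not replicate a logon for up to ~14 days
        # (lastLogonTimestamp only updates once it is older than that), so fall back to the
        # creation time instead of treating "no value" as stale.
        if (-not $last) { $last = $Computer.whenCreated }
        if ($last -and $last -le $cutoff) { $Computer }
    }
}

# Live two-stage lifecycle: disable, stamp and move at 30 days; delete stamped objects at 90 days.
# Run it with -WhatIf first and read the list of objects it would act on.
function Invoke-StaleComputerLifecycle {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$DisableAfterDays = 30,
        [int]$DeleteAfterDays  = 90,
        [ValidateSet('LastLogonDate', 'PasswordLastSet')]
        [string]$Attribute = 'LastLogonDate',
        [string]$StaleOU = 'OU=Stale Computers,DC=example,DC=com'   # placeholder, adjust
    )
    Import-Module ActiveDirectory
    $stampPrefix = 'Disabled as stale on '
    $stamp = $stampPrefix + (Get-Date -Format 'yyyy-MM-dd')
    $props = 'LastLogonDate', 'PasswordLastSet', 'whenCreated', 'Description'

    # Stage 1: enabled computers past the disable threshold. The Description stamp records why
    # and when, so a machine someone disabled by hand is never confused with one this script disabled.
    Get-ADComputer -Filter {Enabled -eq $true} -Properties $props |
        Select-StaleComputer -Days $DisableAfterDays -Attribute $Attribute |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.DistinguishedName, "Disable ($Attribute older than $DisableAfterDays days)")) {
                Set-ADComputer -Identity $_ -Enabled $false -Description $stamp
                Move-ADObject  -Identity $_ -TargetPath $StaleOU
            }
        }

    # Stage 2: only objects that carry the stamp, sit in the stale OU, and are past the delete threshold.
    Get-ADComputer -Filter {Enabled -eq $false} -SearchBase $StaleOU -Properties $props |
        Where-Object { $_.Description -like "$stampPrefix*" } |
        Select-StaleComputer -Days $DeleteAfterDays -Attribute $Attribute |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.DistinguishedName, "Delete ($Attribute older than $DeleteAfterDays days)")) {
                # -Recursive also removes child objects (BitLocker recovery info etc.), as dsrm -subtree did
                Remove-ADObject -Identity $_ -Recursive -Confirm:$false
            }
        }
}

# Constructed sample objects (not real directory data) to exercise the filter without a domain.
$now = Get-Date '2021-01-25'
$sample = @(
    [pscustomobject]@{ Name = 'WS-ACTIVE';  LastLogonDate = $now.AddDays(-3);  whenCreated = $now.AddDays(-400) }
    [pscustomobject]@{ Name = 'WS-STALE';   LastLogonDate = $now.AddDays(-45); whenCreated = $now.AddDays(-400) }
    [pscustomobject]@{ Name = 'WS-NEWJOIN'; LastLogonDate = $null;             whenCreated = $now.AddDays(-2)   }
    [pscustomobject]@{ Name = 'WS-NEVER';   LastLogonDate = $null;             whenCreated = $now.AddDays(-200) }
)
$sample | Select-StaleComputer -Days 30 -Now $now | Select-Object -ExpandProperty Name
```

The offline run at the end names WS-STALE and WS-NEVER only: WS-ACTIVE logged on three days ago, and WS-NEWJOIN is two days old with no replicated logon yet, which is exactly the case a bare "no value means stale" rule would wrongly disable. `Invoke-StaleComputerLifecycle -WhatIf` lists every disable and delete it would perform without changing anything, and because deletion requires both the stale OU and the description stamp, an object disabled for an unrelated reason (a forensic hold, a decommission in progress) is left alone.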


  2. Hannah Xiong 6,231 Reputation points
    2021-01-26T08:30:15.783+00:00

    Hello,

    Thank you so much for posting here.

    Hope something here might be helpful.
    https://gallery.technet.microsoft.com/scriptcenter/Move-and-disable-inactive-b1cf86c3#content

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Lazar Petrov 1 Reputation point
    2021-09-15T09:17:23.143+00:00

    What recommendations do you guys use for deciding when an object should be removed/disabled etc.?
